Reshaping the risk taxonomy

Climate change, technological innovation, geopolitical tensions and uncertainties in international trade, aging populations, social unrest and a decline in institutional trust: these developments are disrupting traditional business models and threatening their resilience. And your people are in the eye of the storm, making human behaviour pivotal for your success.

From global to local: what does this have to do with my risk taxonomy?

'What has all this got to do with my risk taxonomy? That is just another risk policy, right?' Well, I would argue it has got everything to do with it. And no, it is not just another policy, but a cornerstone of your risk management, and therefore of your survival as an organisation in a changing world.

It is vital to have a comprehensive insight into all risks relevant for your business. Today, but also tomorrow. Only then can you decide how to organise yourself, make sure you have the right skills on board, prioritise the risks that matter most, invest where you should, and take sound and strategic business decisions.

In this blog I explore the role of the risk taxonomy in anticipating and responding to new and emerging risks.

What is a risk taxonomy and why does it matter? 

Taxonomies have their origin in science, for example in biology, and are a form of classification, for example of plants and animals. Or, if you are more like me and prefer chemistry, the periodic table of elements. In Risk we classify material risks an organisation faces in a so-called risk taxonomy. This helps an organisation prioritise and manage risks. The risk taxonomy is the starting point for your risk strategy and risk appetite, your risk limits and thresholds, your risk policies and procedures.

As such, the risk taxonomy is a catalyst which can prompt change in other areas of risk management. Furthermore, if a certain risk type is explicitly included in the taxonomy, it tends to receive more management attention, dedicated budget and skilled employees. In short, if it is in the risk taxonomy, it gets managed.

Current risk taxonomies are outdated 

Now what’s the point? My assertion is that chances are your risk taxonomy is outdated. When working with organisations as a risk consultant, I see that most taxonomies focus on yesterday’s risks, not tomorrow’s, and are therefore insufficiently forward-looking. Or, even if new and emerging risk types are included, they tend to be buried somewhere in the traditional hierarchy of a risk taxonomy.

Within the myriad of new and emerging risks, let’s perhaps focus on three of the most important ones, i.e. climate risk, cyber risk and conduct risk (the ‘triple c’), and ask yourself where they are in your risk taxonomy. Is environmental and climate risk one of the most important risk categories in your taxonomy? Because it should be.

Is cyber risk hiding as a sub-risk of IT or technology risk, which in turn is a sub-risk of operational risk? That’s not good enough. Is conduct and behavioural risk even anywhere in your taxonomy, or is it shoved under compliance risk somewhere? That’s not the same. These new and emerging risks need significantly more attention, and this isn’t happening, or at least not fast enough.

Saying goodbye to the dichotomy between financial and non-financial risks

In most instances, for example at financial institutions I see taxonomies that start with differentiating between financial risk and non-financial risk. I don’t think that is very meaningful. To give you an example: is climate risk financial or non-financial? Isn’t the impact of conduct risk in the end also financial? 

You might argue that in these examples the classification is based on the source of risk, not the type of impact. But is the source of credit risk financial? Reasons for a non-performing loan can be manifold, not just financial. My point is, these so-called non-financial risks and other types of new risks are undervalued.

Another example to illustrate this, especially in banking, is that I still see risk taxonomies (and corresponding organisational charts of Risk functions) that only differentiate between credit risk, market risk and operational risk, the latter meaning ‘the rest’. That is definitely not reflecting the ‘risk reality’ of today’s world anymore, and leads to seriously insufficient attention for new risks like climate, cyber and conduct risk.

And classification does matter. Going back to the example of the periodic table of elements, do you feel it would make a difference for science and our lives if we had stopped at gases, metals and ‘some other elements’, and left it at that? Or would it have mattered if we had left things at humans being part of the family of the great apes and henceforward treat all those in the same way?

So what? From theory to practice

This may all seem very theoretical. And indeed, the risk taxonomy is definitely not an aim in itself, but a means to an end. The end of adequately managing all the key risks your organisation faces, including a number of major emerging risks. My concern here is that that isn’t happening, or that Risk isn’t keeping up with the pace of change of its business environment.

Ask yourself the following:

• Do you have your risk appetite defined for climate, cyber and conduct risk, and forthcoming limits, early warning levels and thresholds?
• Do you have the data, the models and the scenario analysis in place to measure and quantify these risks?
• Have you allocated the ‘risk budget’ and the cost of risk for these key risk types to your business lines, products and geographies?
• Have you incorporated the metrics for these risk types in the incentive structures of your management and staff?
• Do you have the risk policies and procedures implemented to assess, report on and mitigate these risks, where possible, and are the necessary controls in place and effective?
• Does your staff have the skills and expertise to truly grasp these risks, and do your board members?
• And if not, is there a clear roadmap in place to address all the above?

Frankly, I don’t think so. I realise I am generalising to make my point, and this might not do all readers of this blog justice. As the saying goes, if the shoe fits, wear it. It would be great to have good examples we can all learn from. And I know there are some. What I am saying is, there is a clear and present need to better address new and emerging risks. It can be done, and overhauling your risk taxonomy is the first step. The world is changing, and risk management needs to adapt.

Also read the earlier parts of this blog series:

• Reimagine risk
• The seven ingredients of risk transformation
• Cost out, value in
• The marketing of risk management